
Comparison of IT governance and service management standards (columns: S. No, Name, Brief, Details)

1 ITIL
Brief: IT service management (ITIL V3)
Details: The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.
- Best practice in IT Service Management, developed by OGC and supported by publications, qualifications and an international user group
- Assists organisations to develop a framework for IT Service Management
- Worldwide, the most widely used best practice for IT Service Management
- Consists of a series of core books giving guidance on the provision of quality IT services
- Covers service management and operations

2 ISO 20000
Brief: Service management operation
Details: The standard is divided into two distinct parts:
- Part 1 provides the requirements for IT service management to gain certification. This is relevant to those responsible for initiating, implementing or maintaining IT service management in their organization. Senior management are responsible and accountable for ensuring all requirements of Part 1 are met if certification is sought.
- Part 2 - Code of Practice for Service Management. Provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000.
- Part 3 - Scope & Applicability. Advice on scoping for service management, planning & improvements.

3 ISO 27000
Brief: Information Security
Details: This is the specification for an information security management system (an ISMS) which replaced the old BS7799-2 standard.
- ISO 27001: The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is this against which certification is granted. Today in excess of a thousand certificates are in place across the world.
- ISO 27002: The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.
- ISO 27003: The purpose of this proposed development is to provide help and guidance in implementing an ISMS (Information Security Management System). This will include focus upon the PDCA method, with respect to establishing, implementing, reviewing and improving the ISMS itself.
- ISO 27004: Published in December 2009, ISO 27004 provides guidance on the development and use of measures and measurement for the assessment of the effectiveness of an implemented information security management system and controls, as specified in ISO 27001. The appendix of the document also suggests metrics which were selected to align with ISO 27002.
- ISO 27005: ISO 27005 is the name of the prime 27000 series standard covering information security risk management. The standard provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO 27001.
- ISO 27006: This is the standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. Again it was overseen by ISO's committee SC 27. The previous standard related to this issue was EA 7/03. This has effectively been replaced by the new standard, to meet market demands to better support ISO 27001. It effectively documents the requirements additional to those specified within standard ISO 17021, which identified the more generic requirements.

4 SOX 404

5 SAS 70

6 COBIT
Brief: Control Objectives for Information and related Technology
Details: COBIT is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
- Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
- Current primary publisher is the IT Governance Institute, formed by the Information Systems Audit and Control Association (ISACA) in 1998
- COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
- The above sources were used to formulate COBIT to be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.

7 ITGC
Brief: Information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met.
Details: ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.

8 COSO
Details: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring, that need to be in place to achieve financial reporting and disclosure objectives. COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.

9 CMMI

10 PCI DSS
Brief: PCI-DSS version 2 released in October 2010
Details: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually, by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Areas covered / Checklist

ITIL - Areas covered:
Service Support
- Incident Management
- Problem Management
- Change Management
- Release Management
- Configuration Management
Service Delivery
- Service Level Management
- Availability Management
- Capacity Management
- IT Service Continuity Management
- Financial Management for IT Services
Service Desk - ITIL function

ISO 20000 - Checklist:
- Management Systems - Management Responsibility, Documentation Requirements, Competences, Awareness & Training
- Planning and Implementation
- Planning New Services

COBIT - The four COBIT major domains are: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

ITGC - Checklist:
- Change management procedures
- Source code/document version control
- Software development life cycle
- Logical access
- Incident management
- Problem management
- Technical support
- Hardware/software
- Disaster recovery
- Physical security

PCI DSS - The 12 requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

ISO 20000 process model:

Management Systems
- Management Responsibility, Documentation Requirements, Competences, Awareness & Training

Planning & Implementation
- Plan, Implement, Monitor, Improve (Plan, Do, Check, Act)

Planning New Services
- Planning & Implementing New or Changed Services

Service Delivery Processes
- Capacity Management
- Service Continuity & Availability Management
- Service Level Management
- Service Reporting
- Information Security Management
- Budgeting & Accounting for IT Services

Control Processes
- Configuration Management
- Change Management

Release Processes
- Release Management

Resolution Processes
- Incident Management
- Problem Management

Relationship Processes
- Business Relationship Management
- Supplier Management

COBIT processes by domain:

Plan and Organise
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organisation and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects

Acquire and Implement
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes

Deliver and Support
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

Monitor and Evaluate
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Compliance With External Requirements
- ME4 Provide IT Governance

PCI DSS Audit Questions and Checklists

Date:            Location:            Assessor:

Basic Requirements (columns: No, Basic Requirement, Status: Comply / Not Comply, Notes)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Audit Checklist (columns: No, Audit Checklist, Status: Comply / Not Comply, Notes)
1. Who has access to a specified file or other resource?
2. Who has had access to a given file or other resource in the past?
3. What resources a given individual has access to across your entire enterprise?
4. That password policies and other directory settings are correct and have remained so over time?
5. That inactive accounts were deleted within the allowed timeframe?
6. That duplicate accounts do not exist?
7. That account removal, modification, and addition is performed according to policies and requirements?
8. What security settings are currently in effect in your environment?
9. What security settings have been in effect in your environment in the past?
10. That security settings are consistently applied throughout the environment?
11. What changes have been made to security settings over time?
12. What privileges have been exercised by users, particularly administrative users?
13. Audit logs with all access by all users to all resources?
14. Audit logs with all actions taken by administrators?
15. Audit logs with all access to auditing information?
16. Audit logs with all invalid access attempts?
17. Audit logs with all use of authentication mechanisms such as Active Directory?
18. Audit logs with all initialization (clearing) of audit logs?
19. Audit logs with all creation and deletion of system-level objects?
20. Proof that all systems are up-to-date with the latest service releases?
21. That you can detect unpatched systems and either correct the problem or alert an administrator to do so?
22. That the correct policies are in place to ensure secure transmission of cardholder data?
23. That secure transmission policies have remained in effect continuously?
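As an added example (not part of the original checklist), the following Python script evaluates a constructed directory export against audit questions 5 and 6 and requirement 8 (one unique ID per person) and records the result in the checklist's Comply / Not Comply form. The account records, the review date and the 90-day inactivity window are assumptions, not values from the page.

```python
"""Account-hygiene checks for PCI DSS audit questions 5 and 6 (inactive and
duplicate accounts) and requirement 8 (unique ID per person).
Added example; the directory export below is constructed, not real data."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed directory export: one row per account (assumed field names).
ACCOUNTS = [
    {"id": "jdoe",     "person": "Jane Doe",    "last_logon": date(2023, 5, 30), "enabled": True},
    {"id": "jdoe2",    "person": "Jane Doe",    "last_logon": date(2023, 6, 1),  "enabled": True},
    {"id": "bsmith",   "person": "Bob Smith",   "last_logon": date(2022, 11, 2), "enabled": True},
    {"id": "svc_pos",  "person": "POS Service", "last_logon": date(2023, 6, 2),  "enabled": True},
    {"id": "old_temp", "person": "Temp Staff",  "last_logon": date(2022, 1, 15), "enabled": False},
]
AS_OF = date(2023, 6, 5)  # assumed review date

def find_duplicate_accounts(accounts):
    """Question 6 / requirement 8: more than one ID mapped to the same person."""
    by_person = defaultdict(list)
    for acct in accounts:
        by_person[acct["person"]].append(acct["id"])
    return {p: ids for p, ids in by_person.items() if len(ids) > 1}

def find_stale_accounts(accounts, as_of, max_inactive_days):
    """Question 5: accounts still present (disabled ones included, since the
    question asks whether they were deleted) past the allowed inactivity window.
    max_inactive_days is the organisation's own policy value."""
    cutoff = as_of - timedelta(days=max_inactive_days)
    return sorted(a["id"] for a in accounts if a["last_logon"] < cutoff)

def account_review(accounts, as_of, max_inactive_days):
    """Collect findings and map them to the checklist's Comply / Not Comply status."""
    dups = find_duplicate_accounts(accounts)
    stale = find_stale_accounts(accounts, as_of, max_inactive_days)
    return {
        "duplicates": dups,
        "stale": stale,
        "q5_status": "Comply" if not stale else "Not Comply",
        "q6_status": "Comply" if not dups else "Not Comply",
    }

if __name__ == "__main__":
    # 90 days is an assumed policy window, not a value taken from the page.
    report = account_review(ACCOUNTS, as_of=AS_OF, max_inactive_days=90)
    for key, value in report.items():
        print(f"{key}: {value}")
```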
